Parents and Educators Should Embrace, Not Fear, Student Data

When it comes to managing student data, most school districts receive a failing grade. Too often, schools spread student data across a multitude of incompatible systems which makes performing analytics difficult and expensive. To help K-12 schools save time and money, the non-profit venture inBloom has developed a service to help states unify disparate and non-standardized sources of student data into a single, analytics-friendly database. The organization, backed by the Gates Foundation and the Carnegie Corporation, wants to make student data available to educators, so they can better help their students, and assist parents in becoming more involved in their children’s educational progress. Eventually the non-profit envisions its service as a platform for developers to create personalized teaching and learning apps.

Unfortunately, misdirected outrage from some parents has forestalled these benefits as last month the Colorado State Board of Education ended its partnership with inBloom, becoming the seventh of nine original partner states to suspend or substantially reduce their commitments to use the nonprofit’s services to consolidate and manage student data. Most of the objections about inBloom reflect ignorance about the law or technology. One common complaint, repeated in the New York Times, was that inBloom’s Privacy and Security Policy (see section IV, part E: Breach Remediation) did not guarantee the security of student data. Its policy says “inBloom, Inc. cannot guarantee the security of the information stored in inBloom or that the information will not be intercepted when it is being transmitted.” While that language might sound scary to a non-lawyer, this disclaimer is virtually identical to the disclosures found on virtually every other online service. For example, the policy for the popular data backup service DropBox states “No method of electronic transmission or storage is 100% secure, however. Therefore, we cannot guarantee its absolute security.”

Organizations do not use these disclaimers because their systems are insecure, they use them because it is impossible to guarantee that a system cannot be hacked, and if they did so, they would be exposing themselves to significant liability. Furthermore, inBloom appears to have implemented extensive physical, technical and administrative security safeguards. Skeptics can even look at the code itself, since inBloom has made the open-source software it uses freely available for independent audit on GitHub. Moreover, transitioning student data to cloud-based storage is a step up in security for most school districts. inBloom’s single-access point system would provide uniform protection for data that is currently spread across multiple systems with ad-hoc security controls, making it more difficult for third parties to compromise the data. Ironically, in the statement announcing the end of the inBloom partnership, Colorado Education Commissioner Robert Hammond acknowledged that his work with the nonprofit alerted him to potential weaknesses in the state’s own data storage practices.

Some parents also expressed concern that students’ data would be sold to private companies without their consent, a charge that is both false and misleading. inBloom’s policies explicitly state that it will never sell confidential student data and that school districts have full control in determining what data to store, who will have access, and how it will be used. School districts (not inBloom) can grant educational technology companies access to their data to develop teaching applications, but they already have this authority today. Of course parents should have a say in how their children’s data will be used, but this is a negotiation parents can continue to have with their elected officials; claims that inBloom can decide this for them are simply false.

Finally, some people, such as Sen. Ed Markey (D-MA), are concerned that having private-sector companies manage student data creates a privacy risk. However, there is no inherent risk since school districts can use contract law to require third-party contractors to keep data confidential. Since this is an important issue that all school districts will face, the Department of Education should help mitigate this risk by providing model contract language for school districts to use when procuring data services from the private sector.

The original nine partners announced this February were Colorado, Delaware, Georgia, Illinois, Kentucky, New York, North Carolina, Massachusetts and Louisiana; today, only New York and Illinois are actively pursuing the program. Illinois plans to launch in 2014 in two counties. New York is already using inBloom’s services; however, opposition is mounting. New York City mayor-elect Bill de Blasio has indicated that he will pull New York City student data from the inBloom database as soon as possible, and a number of bills have been introduced in the New York State Senate to require parental consent before storing students’ personally identifiable information with a third-party.

These events represent a setback in the effort to bring data-driven innovation to K-12 education where the lack of data standards and interoperability has made it difficult to create applications for personalized learning. Whether with inBloom’s system or another yet to come, school districts should welcome opportunities to consolidate student data, reduce their dependence on insecure legacy systems, and begin using student data to improve learning outcomes. Hopefully, some good may still come out of this as debate over inBloom’s service serves as a “teachable moment” to help parents and others understand the potential benefits of data.

Daniel Castro is the director of the Center for Data Innovation and vice president of the Information Technology and Innovation Foundation. Mr. Castro writes and speaks on a variety of issues related to information technology and internet policy, including data, privacy, security, intellectual property, internet governance, e-government, and accessibility for people with disabilities. His work has been quoted and cited in numerous media outlets, including The Washington Post, The Wall Street Journal, NPR, USA Today, Bloomberg News, and Businessweek. In 2013, Mr. Castro was named to FedScoop’s list of “Top 25 most influential people under 40 in government and tech.” In 2015, U.S. Secretary of Commerce Penny Pritzker appointed Mr. Castro to the Commerce Data Advisory Council.
Mr. Castro previously worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies, including the Securities and Exchange Commission (SEC) and the Federal Deposit Insurance Corporation (FDIC). In addition, Mr. Castro was a Visiting Scientist at the Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania where he developed virtual training simulations to provide clients with hands-on training of the latest information security tools. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.

Travis Korte is a research analyst at the Center for Data Innovation specializing in data science applications and open data. He has a background in journalism, computer science and statistics. Prior to joining the Center for Data Innovation, he launched the Science vertical of The Huffington Post and served as its Associate Editor, covering a wide range of science and technology topics. He has worked on data science projects with HuffPost and other organizations. Before this, he graduated with highest honors from the University of California, Berkeley, having studied critical theory and completed coursework in computer science and economics. His research interests are in computational social science and using data to engage with complex social systems. You can follow him on Twitter @traviskorte.